The RSA Security data breach was reported as one of the 10 largest breaches of 2011. It was disclosed on March 17, 2011, and the size of the breach was not given. The information taken related to RSA's SecurID two-factor authentication technology. Measured by the amount of data reported stolen, the breach may not be the largest, but the type of information taken potentially affects numerous organizations, which is what makes it an important breach to report on. For instance, in 2009 RSA had some 40 million tokens and 250 million mobile software versions deployed in roughly 25,000 organizations, including banks, governments, and pharmaceutical companies. RSA did not detail how the attack was carried out or how long it took to discover the compromise, but it did recommend additional security steps for its customers, including:

  • Increase their security focus on social media applications and websites
  • Enforce strong password and PIN policies
  • Remind employees not to open suspicious e-mails, and not to give their log-in credentials to other people or enter them on other websites
  • Pay special attention to securing Active Directory, and monitor for changes made to access rights
  • Add a manual approval process for changes to user access rights, following the “least privilege” methodology (just enough privileges to get the job done)
  • Limit remote and physical access to the infrastructure hosting security software
  • Increase defenses against social engineering attacks
  • Keep security software and operating systems updated
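Two of the recommendations above, monitoring Active Directory for access-rights changes and requiring manual approval for them, can be turned into a concrete check. The following is an added example, not RSA's code and not taken from the article: it reads Windows Security log events for “member added to a security-enabled group” (event IDs 4728, 4732 and 4756 for global, local and universal groups respectively) and flags any addition to a privileged group that has no matching approved change ticket. The event records, the user names, the group list and the change ledger are all constructed for the example, and the dict field names are an assumption that mirrors the Security log's EventID, SubjectUserName, MemberName and TargetUserName fields.

```python
# Added example (not RSA's code nor from the article): flag additions to
# privileged Active Directory groups that lack an approved change request.
# Event records are constructed dicts (assumption: field names follow the
# Windows Security log's EventID, SubjectUserName, MemberName, TargetUserName).
# Windows records "a member was added to a security-enabled group" as
# event 4728 (global group), 4732 (local group) or 4756 (universal group).
from collections import Counter

MEMBER_ADDED_EVENTS = {4728, 4732, 4756}
PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins", "Administrators"}

# Constructed change ledger produced by the manual approval process:
# (member, group) -> approved change ticket (hypothetical ticket ids).
APPROVED_CHANGES = {
    ("CORP\\jdoe", "Domain Admins"): "CHG-1042",
}

# Constructed sample events (hypothetical users, groups and times).
SAMPLE_EVENTS = [
    {"EventID": 4728, "TimeCreated": "2011-03-08T10:02:11Z",
     "SubjectUserName": "CORP\\admin.ops", "MemberName": "CORP\\jdoe",
     "TargetUserName": "Domain Admins"},                    # approved change
    {"EventID": 4728, "TimeCreated": "2011-03-08T23:48:30Z",
     "SubjectUserName": "CORP\\hr.clerk", "MemberName": "CORP\\svc_update",
     "TargetUserName": "Domain Admins"},                    # no ticket
    {"EventID": 4732, "TimeCreated": "2011-03-09T01:12:05Z",
     "SubjectUserName": "CORP\\hr.clerk", "MemberName": "CORP\\svc_update",
     "TargetUserName": "Administrators"},                   # no ticket
    {"EventID": 4756, "TimeCreated": "2011-03-09T09:30:00Z",
     "SubjectUserName": "CORP\\admin.ops", "MemberName": "CORP\\jdoe",
     "TargetUserName": "Marketing"},                        # not a privileged group
    {"EventID": 4624, "TimeCreated": "2011-03-09T09:31:00Z",
     "SubjectUserName": "CORP\\jdoe"},                      # a logon event, ignored
]


def privileged_additions(events):
    """Keep only 'member added' events whose target group is privileged."""
    return [
        e for e in events
        if e.get("EventID") in MEMBER_ADDED_EVENTS
        and e.get("TargetUserName") in PRIVILEGED_GROUPS
    ]


def unapproved_changes(events, ledger=APPROVED_CHANGES):
    """Return one alert for every privileged addition with no approved ticket."""
    alerts = []
    for e in privileged_additions(events):
        key = (e["MemberName"], e["TargetUserName"])
        if key in ledger:
            continue
        alerts.append({
            "when": e["TimeCreated"],
            "actor": e["SubjectUserName"],
            "member": e["MemberName"],
            "group": e["TargetUserName"],
            "event_id": e["EventID"],
            "reason": "privileged group change without approved change request",
        })
    return alerts


def actors_to_review(alerts):
    """Accounts that made unapproved privileged changes, most frequent first.
    An account outside the admin team showing up here suggests its
    credentials are being used by someone else."""
    return Counter(a["actor"] for a in alerts).most_common()


if __name__ == "__main__":
    alerts = unapproved_changes(SAMPLE_EVENTS)
    for a in alerts:
        print(f"ALERT {a['when']} {a['actor']} added {a['member']} "
              f"to {a['group']} (event {a['event_id']})")
    print("accounts to review:", actors_to_review(alerts))
```

In the constructed data the two unapproved changes were both made by a non-administrative account outside business hours, which is exactly the pattern the change-approval recommendation is meant to surface: the event log alone shows a valid admin operation, and only the comparison against the approval ledger reveals that nobody authorised it.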

What RSA Security reported was that attackers stole “certain information” related to its SecurID two-factor authentication products, which the article described as including the secret algorithm used by its multifactor authentication products. In practice the secret that matters in a SecurID token is the per-token “seed”: each token combines its seed with the current time to produce the code it displays, and the authentication server holds a copy of the same seed to check that code. Based upon the article, it was unclear whether the seed values for the SecurID tokens were taken by the attackers. If they were, an attacker who also learns which seed belongs to which user could compute the same codes that user's token shows and so pass the token layer of authentication, leaving only the user's PIN or password in the way. With that information stolen, the effectiveness of the authentication product would be greatly weakened, allowing attackers to mount successful attacks on RSA customers.
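To make the seed problem concrete, here is an added example that is not RSA's code and not from the article. SecurID's real token algorithm is proprietary and AES-based, so the example substitutes a standard time-based one-time password (HMAC-SHA1 TOTP, RFC 6238 over RFC 4226) as a stand-in, which is an assumption; the security property under discussion is the same in both: the per-token seed is the only secret, so anyone holding a copy of the seed can compute every code the token will ever show. The seed, PIN, user name and timestamp are constructed, and the verifier keeps the PIN as a separate factor so the example also shows what is left of the protection once the seed is gone.

```python
# Added example, not RSA's code: a simplified time-based one-time password as a
# stand-in for a SecurID token. SecurID's real token algorithm is proprietary
# and AES-based; this uses HMAC-SHA1 TOTP (RFC 6238) instead (assumption),
# because the property under discussion is the same: the per-token seed is the
# only secret, so whoever holds the seed can compute every code the token shows.
import hashlib
import hmac
import struct

STEP_SECONDS = 60   # SecurID tokens rotate every 60 s; the RFC 6238 vectors use 30 s
CODE_DIGITS = 6


def token_code(seed: bytes, unix_time: int, step: int = STEP_SECONDS) -> str:
    """The code a token holding `seed` displays at `unix_time` (RFC 6238 / RFC 4226)."""
    counter = unix_time // step
    mac = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F                                   # dynamic truncation
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % 10 ** CODE_DIGITS).zfill(CODE_DIGITS)


class AuthServer:
    """Two-factor verifier: stores each user's seed and PIN. The passcode the
    user types is the PIN followed by the current token code."""

    def __init__(self):
        self._users = {}

    def enroll(self, user: str, seed: bytes, pin: str) -> None:
        self._users[user] = (seed, pin)

    def verify(self, user: str, passcode: str, unix_time: int, drift: int = 1) -> bool:
        if user not in self._users:
            return False
        seed, pin = self._users[user]
        if len(passcode) != len(pin) + CODE_DIGITS:
            return False
        if not hmac.compare_digest(passcode[:len(pin)], pin):
            return False                                      # PIN layer failed
        code = passcode[len(pin):]
        # Accept codes from neighbouring time steps to tolerate clock drift.
        return any(
            hmac.compare_digest(code, token_code(seed, unix_time + d * STEP_SECONDS))
            for d in range(-drift, drift + 1)
        )


# Constructed demo data (hypothetical seed and PIN).
DEMO_SEED = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")
DEMO_PIN = "4821"
DEMO_TIME = 1300320000          # 2011-03-17 00:00:00 UTC, the disclosure date


def breach_scenarios(seed=DEMO_SEED, pin=DEMO_PIN, now=DEMO_TIME):
    """Who can log in, under four assumptions about what the attacker holds."""
    server = AuthServer()
    server.enroll("alice", seed, pin)
    genuine_code = token_code(seed, now)            # what alice's token shows
    stolen_seed_code = token_code(seed, now)        # attacker computes it from the leaked seed
    wrong_seed_code = token_code(b"not-the-seed", now)
    return {
        # legitimate user: PIN + token
        "user_with_pin_and_token": server.verify("alice", pin + genuine_code, now),
        # seed leaked, PIN unknown: only the PIN layer is left ("0000" is a wrong guess)
        "attacker_seed_only": server.verify("alice", "0000" + stolen_seed_code, now),
        # seed leaked and PIN phished: two-factor authentication is fully defeated
        "attacker_seed_and_phished_pin": server.verify("alice", pin + stolen_seed_code, now),
        # PIN phished but no seed: the token layer still holds
        "attacker_pin_only": server.verify("alice", pin + wrong_seed_code, now),
    }


if __name__ == "__main__":
    for scenario, ok in breach_scenarios().items():
        print(f"{scenario:32s} -> {'LOGIN OK' if ok else 'rejected'}")
```

The point of the scenarios is the third one: with the seed database and the mapping of seeds to users, the attacker no longer needs to touch the token, and the only remaining hurdle is the PIN, which is exactly what the spear-phishing and “don't give out your credentials” recommendations above are trying to protect.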

The attack carried out on RSA was an Advanced Persistent Threat (APT) attack. These attacks often target source code and other information that is useful for espionage, and they require knowledge of a company's network, employees, and policies. Based upon the article, APT attacks usually begin with some form of social engineering, such as spear phishing, with malware hidden in the e-mail message or its attachment (this malware is usually the key to a successful attack). The attackers then sneak keyloggers and other tools onto the compromised computers. These attacks are usually focused on intellectual property.

Based upon additional reading, attackers must continuously rewrite their code and employ sophisticated evasion techniques so that they can stay undetected. Because the intrusion itself is hard to spot, the best method of detecting an APT attack is to look for anomalies in outbound data: review the network and data logs for unusual transfers, since the stolen information has to leave the network at some point.
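What “look for anomalies in outbound data” means in practice is shown by the following added example, which is not from the article and not RSA's detection logic. It parses a handful of outbound connection records and applies three cheap checks: a host sending far more than the median host, large transfers in off-hours, and a destination that only one internal host ever talks to while receiving a lot of data. The log lines are constructed in a simplified key=value proxy/flow-log format (an assumption, not a real product's format), the internal addresses and user names are hypothetical, and the external addresses are RFC 5737 documentation ranges; the off-hours window and the size thresholds are assumptions that would need tuning to a real environment.

```python
# Added example (not from the article): hunt for exfiltration by finding
# anomalies in outbound traffic logs. The log lines are constructed in a
# simplified key=value proxy/flow-log format (assumption), with RFC 5737
# documentation addresses standing in for external hosts.
import re
import statistics
from collections import defaultdict
from datetime import datetime

LOG_LINES = """\
2011-03-10T09:12:01Z src=10.1.4.10 dst=198.51.100.20:443 bytes_out=18240 user=alice
2011-03-10T09:15:43Z src=10.1.4.11 dst=198.51.100.20:443 bytes_out=22010 user=bob
2011-03-10T10:02:17Z src=10.1.4.12 dst=198.51.100.31:443 bytes_out=15300 user=carol
2011-03-10T11:40:09Z src=10.1.4.13 dst=198.51.100.20:80 bytes_out=9800 user=dave
2011-03-10T13:21:55Z src=10.1.4.10 dst=198.51.100.31:443 bytes_out=20110 user=alice
2011-03-10T14:05:30Z src=10.1.4.14 dst=198.51.100.45:443 bytes_out=17650 user=erin
2011-03-11T02:14:07Z src=10.1.4.22 dst=203.0.113.45:443 bytes_out=734221 user=svc_backup
2011-03-11T02:31:50Z src=10.1.4.22 dst=203.0.113.45:443 bytes_out=812930 user=svc_backup
2011-03-11T03:07:12Z src=10.1.4.22 dst=203.0.113.45:443 bytes_out=698004 user=svc_backup
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>[^:\s]+):(?P<port>\d+) "
    r"bytes_out=(?P<bytes>\d+) user=(?P<user>\S+)$"
)
OFF_HOURS = range(0, 6)       # 00:00-05:59 UTC; assumption: no scheduled transfers then
LARGE_TRANSFER = 500_000      # bytes; assumption: tune to the environment


def parse(lines):
    """Parse log lines into dicts. Malformed lines are skipped here; a real
    pipeline should count them, since gaps in logging can hide exfiltration."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue
        d = m.groupdict()
        events.append({
            "ts": datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ"),
            "src": d["src"], "dst": d["dst"], "port": int(d["port"]),
            "bytes": int(d["bytes"]), "user": d["user"],
        })
    return events


def find_outbound_anomalies(events, volume_factor=5.0):
    """Three cheap anomaly checks on outbound data:
    1. a host sending more than `volume_factor` times the median host,
    2. a large transfer during off-hours,
    3. a destination that only one internal host talks to, receiving a lot."""
    bytes_per_host = defaultdict(int)
    bytes_per_dst = defaultdict(int)
    hosts_per_dst = defaultdict(set)
    for e in events:
        bytes_per_host[e["src"]] += e["bytes"]
        bytes_per_dst[e["dst"]] += e["bytes"]
        hosts_per_dst[e["dst"]].add(e["src"])

    findings = []
    if len(bytes_per_host) >= 3:                    # need a population for a baseline
        median = statistics.median(bytes_per_host.values())
        for host, total in bytes_per_host.items():
            if total > volume_factor * median:
                findings.append({"type": "volume", "src": host,
                                 "detail": f"{total} bytes out vs median {median:.0f}"})
    for e in events:
        if e["ts"].hour in OFF_HOURS and e["bytes"] >= LARGE_TRANSFER:
            findings.append({"type": "off_hours", "src": e["src"],
                             "detail": f"{e['bytes']} bytes to {e['dst']} at {e['ts'].isoformat()}"})
    for dst, hosts in hosts_per_dst.items():
        if len(hosts) == 1 and bytes_per_dst[dst] >= LARGE_TRANSFER:
            (host,) = hosts
            findings.append({"type": "single_host_destination", "src": host,
                             "detail": f"{bytes_per_dst[dst]} bytes to {dst}, seen from no other host"})
    return findings


def suspicious_hosts(findings):
    """Internal hosts that tripped at least one check, sorted."""
    return sorted({f["src"] for f in findings})


if __name__ == "__main__":
    for f in find_outbound_anomalies(parse(LOG_LINES)):
        print(f"[{f['type']}] {f['src']}: {f['detail']}")
```

Each check on its own is noisy (a backup job also moves a lot of data at night), which is why the findings are kept per host and per type rather than collapsed into a single alert: one host tripping all three checks, as the constructed service account does here, is a much stronger signal than any one of them alone.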

2nd article: 5/10